CompTIA PenTest+ (PT0-002) — Question 430

A penetration tester has obtained shell access to a Windows host and wants to run a specially crafted binary for later execution using the ymic.exe process call create function. Which of the following OS or filesystem mechanisms is MOST likely to support this objective?

Answer options

• A. Alternate data streams
• B. PowerShell modules
• C. MP4 steganography
• D. ProcMon

Correct answer: A

Explanation

The correct answer is A, Alternate data streams, as they allow for the storage of data in a file without altering its main content, making it possible to hide executables for later execution. The other options do not provide a mechanism for storing and executing binaries in a hidden manner on the filesystem.